[Samba] visibility of groups when multiple Samba servers use the same LDAP server

Rowland Penny rpenny at samba.org
Mon Feb 11 15:33:32 UTC 2019


On Mon, 11 Feb 2019 15:40:02 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:

> 
> 
> Am 11.02.19 um 14:22 schrieb Rowland Penny via samba:
> > On Mon, 11 Feb 2019 13:46:05 +0100
> > Matthias Leopold via samba <samba at lists.samba.org> wrote:
> > 
> >>
> >>
> >> Am 11.02.19 um 13:22 schrieb Rowland Penny via samba:
> >>> On Mon, 11 Feb 2019 12:30:51 +0100
> >>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> we are using a _single_ LDAP server as backend for _multiple_
> >>>> Samba standalone file servers (security=user). This LDAP server
> >>>> serves mainly other purposes and access for Samba is read only
> >>>> so the situation is not optimal but "it works for us". Still I
> >>>> don't understand one phenomenon concerning visibility of LDAP
> >>>> groups.
> >>>>
> >>>> The LDAP configuration in smb.conf for all our Samba servers is
> >>>> basically like this (with each server having its own branch for
> >>>> "ldap group suffix", that's the point):
> >>>>
> >>>> passdb backend = ldapsam:ldap://ldap.domain.tld
> >>>> ldap suffix = dc=domain,dc=tld
> >>>> ldap user suffix = ou=people
> >>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
> >>>>
> >>>> NSS uses LDAP via SSSD like this:
> >>>>
> >>>> [domain/LDAP]
> >>>> id_provider = ldap
> >>>>
> >>>> ldap_uri = ldap://ldap.domain.tld
> >>>> ldap_search_base = dc=domain,dc=tld
> >>>>
> >>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
> >>>> ldap_group_search_base =
> >>>> ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
> >>>>
> >>>> The sambaDomainName is stored in an entry in LDAP path
> >>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
> >>>> use the same SID.
> >>>>
> >>>> This setup is not exactly pretty, but it "works". Still,
> >>>> unexpectedly Samba on server01 sees groups in other branches than
> >>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
> >>>>
> >>>> example:
> >>>> - group is
> >>>> cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> >>>> - on server01 this group is visible with "net groupmap list
> >>>> ntgroup=testgroup"
> >>>> - "getent group testgroup" does not work (as expected)
> >>>> Why is this?
> >>>>
> >>>> thx
> >>>> matthias
> >>>>
> >>>
> >>> You are going to have to give us more info ;-)
> >>> What OS's ?
> >>> What version(s) of Samba ?
> >>> Have there been any updates/upgrades to anything ?
> >>>
> >>> Rowland
> >>>
> >>
> >> thx for quick reply.
> >> Samba is 4.8.3 on CentOS 7.
> >> LDAP server is IBM Tivoli Directory Server on AIX.
> >> The situation has always been like this, upgrades didn't change
> >> anything.
> >>
> >> Matthias
> >>
> > 
> > It sounds like you are running Samba in much the same way as a PDC
> > and in a very old way, but I cannot be sure about this because you
> > seem to be refusing to post your smb.conf.
> > 
> > You posted:
> > 
> > Still, unexpectedly Samba on server01
> > 
> > To me, a native English-speaking person, that sounds like your
> > problem had just started. I think you meant:
> > 
> > However, Samba on server01
> > 
> > If your NON_PDC PDC is set up correctly, 'getent group testgroup'
> > would work.
> > 
> > Rowland
> > 
> 
> Thanks for help.
> 
> I'm attaching the output of "testparm" for one of the servers.
> Indeed I wanted to express "However, Samba on server01", I wasn't
> aware of this potential for misunderstanding, sorry.

No Problem, it was just a misunderstanding, I misunderstood what you
meant, but I understand now.

> I don't know any recent SAMBA + LDAP documentation, I roughly follow 
> https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a
> PDC with smbldap-tools a long time ago, but I know that this is not a
> PDC right now. What are the differences for non PDC servers?

Not much, what you are running is a PDC, you just don't have any
clients. As for recent Samba with LDAP documentation, there isn't any
and there isn't any real impetus to write any, they are a dying
breed ;-) It is much easier to set up a Samba AD DC domain.

> 
> When I tell Samba + NSS to use LDAP branch 
> 'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information
> I don't expect that group 'testgroup' in branch 
> 'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.

Try setting up a test computer and use this smb.conf:

[global]
    workgroup = SAMBA
    security = USER
    server max protocol = NT1
    passdb backend = ldapsam
    ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
    ldap suffix = dc=domain,dc=tld
    ldap group suffix = ou=group01,ou=smb,ou=Groups
    ldap user suffix = ou=people
    idmap config * : range = 500-19999
    idmap config * : backend = ldap
    idmap config * : ldap_url = ldap://ldap.domain.tld
    idmap config * : ldap_base_dn = ou=idmap,dc=domain,dc=tld
    idmap config * : ldap_user_dn = uid=ldapadmin,ou=services,dc=domain,dc=tld

    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

[foo_home]
    admin users = +foo_admin
    browseable = No
    path = /srv/foo/lv01/home
    read only = No

if that doesn't work, pretend your AIX server is an AD DC and follow
this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
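The following is an added Python model, not from the thread and not Samba's own code, that makes the search-base question in the thread concrete without touching a live directory. It holds a few constructed sambaGroupMapping entries in the branch layout Matthias described (the DNs, gidNumbers and the domain SID are placeholders) and runs the same cn lookup from two bases: the full group base ("ldap group suffix" joined to "ldap suffix") and the bare "ldap suffix". A lookup scoped to the server01 branch cannot see cn=testgroup under ou=server02; a lookup from the ldap suffix can, which is the behaviour reported for "net groupmap list ntgroup=testgroup". Because every server in the thread shares one domain SID, the block also includes an audit helper, groups_outside_branch, that lists entries carrying that SID but living outside the branch a given server is configured for; that is the list to review when deciding whether the shared-SID layout is acceptable.

```python
"""Offline model of how the LDAP search base decides which Samba groups are
visible. Constructed example; entries, DNs and the domain SID are placeholders."""

LDAP_SUFFIX = "dc=domain,dc=tld"                # as in the posted smb.conf
GROUP_SUFFIX = "ou=server01,ou=smb,ou=Groups"   # relative to the ldap suffix
DOMAIN_SID = "S-1-5-21-1111-2222-3333"          # placeholder; one SID shared by all servers

# Constructed sambaGroupMapping entries in the layout described in the thread.
ENTRIES = [
    {"dn": "cn=admins,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld",
     "cn": "admins", "sambaSID": f"{DOMAIN_SID}-1001", "gidNumber": 10001},
    {"dn": "cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld",
     "cn": "testgroup", "sambaSID": f"{DOMAIN_SID}-1002", "gidNumber": 10002},
    {"dn": "cn=legacy,ou=Groups,dc=domain,dc=tld",
     "cn": "legacy", "sambaSID": f"{DOMAIN_SID}-1003", "gidNumber": 10003},
    # A group from an unrelated domain SID; the audit must ignore it.
    {"dn": "cn=other,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld",
     "cn": "other", "sambaSID": "S-1-5-21-9-9-9-1004", "gidNumber": 10004},
]


def normalize_dn(dn):
    """Lower-case and strip each RDN. Sufficient for these constructed DNs;
    real DN comparison also has to handle escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base):
    """True if dn equals base or lies below it (LDAP scope 'sub')."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def effective_group_base():
    """Samba joins 'ldap group suffix' to 'ldap suffix' to form the full base."""
    return f"{GROUP_SUFFIX},{LDAP_SUFFIX}"


def search(base, cn=None):
    """Subtree search below base, optionally filtered by cn (case-insensitive)."""
    return [e for e in ENTRIES
            if in_subtree(e["dn"], base)
            and (cn is None or e["cn"].lower() == cn.lower())]


def groups_outside_branch(expected_base=None):
    """Audit helper: groups carrying this domain SID that live outside the
    branch this server is configured to use. With one domain SID shared by
    several servers, these are the mappings a server may honour even though
    it was never meant to see them."""
    base = expected_base or effective_group_base()
    return sorted(e["dn"] for e in ENTRIES
                  if e["sambaSID"].startswith(DOMAIN_SID + "-")
                  and not in_subtree(e["dn"], base))


if __name__ == "__main__":
    print("scoped to group suffix:",
          [e["dn"] for e in search(effective_group_base(), "testgroup")])
    print("whole ldap suffix     :",
          [e["dn"] for e in search(LDAP_SUFFIX, "testgroup")])
    print("groups outside branch :", groups_outside_branch())
```

Against a real directory the same two comparisons are a pair of ldapsearch runs with "-b" set to the full group base and to the ldap suffix respectively, using the filter "(&(objectClass=sambaGroupMapping)(cn=testgroup))"; if only the second returns the entry, visibility is coming from a suffix-wide lookup rather than from the configured group branch.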



